Category: InfoSec

Chinese hackers exploiting VMware zero-day since October 2024

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-vmware-zero-day-since-october-2024/

ONE SENTENCE SUMMARY:

Broadcom fixed a high-severity privilege escalation vulnerability exploited by the Chinese threat actor UNC5174 in VMware software.

MAIN POINTS:

  1. Broadcom patched a severe vulnerability in VMware Aria Operations and VMware Tools.
  2. The vulnerability, CVE-2025-41244, was exploited since October 2024 by UNC5174.
  3. NVISO researcher Maxime Thiebaut reported the bug in May 2025.
  4. Exploitation depends on placing a malicious binary in specific paths.
  5. NVISO released a proof-of-concept demonstrating privilege escalation.
  6. UNC5174 is linked to China’s Ministry of State Security (MSS).
  7. UNC5174 exploited multiple vulnerabilities in U.S., UK, and Canadian institutions.
  8. Broadcom also fixed two VMware NSX vulnerabilities reported by the NSA.
  9. In March, Broadcom resolved three other zero-day bugs reported by Microsoft.
  10. Password cracking incidents increased from 25% to 46% of environments.

TAKEAWAYS:

  1. Broadcom’s quick response mitigated a critical security threat.
  2. UNC5174 continues to exploit network vulnerabilities for espionage activities.
  3. Collaboration between researchers and companies is crucial for timely vulnerability reporting.
  4. The increasing rate of password cracking emphasizes the need for improved security.
  5. Vigilance and proactive patching are essential to protect against state-sponsored attacks.

EDR-Freeze – Forensic Analysis of an EDR Coma Attack

Source: itamarhall.github.io

Author: unknown

URL: https://itamarhall.github.io/Tracepoint/blog/writeups/edr-freeze-investigation/

ONE SENTENCE SUMMARY:

EDR-Freeze demonstrates how attackers can temporarily suspend EDR processes using Windows components, impacting defender visibility and requiring advanced forensic detection.

MAIN POINTS:

  1. EDR-Freeze uses Windows Error Reporting to suspend EDR processes temporarily.
  2. Involves WerFaultSecure.exe and DbgHelp’s MiniDumpWriteDump components.
  3. Process appears suspended in memory, affecting telemetry.
  4. Volatility tools help identify forensic artifacts left by EDR-Freeze.
  5. Memory forensics reveals suspended threads and handles used.
  6. File activity observed with temporary t.txt creation.
  7. Imports like MiniDumpWriteDump show potential for process suspension.
  8. YARA rules help detect EDR-Freeze’s presence in binaries and memory.
  9. Source code explains observed memory and file artifacts.
  10. Showcases the risk of trusted OS components being used maliciously.

TAKEAWAYS:

  1. Detection goes beyond logs to include memory analysis and forensic investigation.
  2. YARA rules can catch both binary and behavioral indicators of EDR-Freeze.
  3. EDR processes are vulnerable to suspension without kernel exploits.
  4. Highlights the potential abuse of trusted Windows components by attackers.
  5. Encourages focus on memory forensics as a crucial part of incident response.

Who’s Minding the Machines? The Identity Crisis Nobody Owns

Source: BankInfoSecurity.com RSS Syndication

Author: unknown

URL: https://www.bankinfosecurity.com/whos-minding-machines-identity-crisis-nobody-owns-a-29594

ONE SENTENCE SUMMARY:

Machine identities surpass human ones, yet lack clear ownership; enterprises must establish accountability and rigorous management to mitigate risks.

MAIN POINTS:

  1. Machine identities outnumber human users in many organizations, lacking HR system visibility.
  2. Microsoft and CrowdStrike highlight threat of compromised service accounts used for privilege escalation.
  3. NIST stresses treating machine identities with the same rigor as human identities.
  4. Current governance models fail to keep pace with automation and machine identity management.
  5. Experts disagree on responsibility for machine identities, suggesting varied approaches based on culture.
  6. Machine identities can remain dormant, posing lifecycle management challenges.
  7. Regulators enforce strict measures on machine credential management similar to human accounts.
  8. Mismanagement leads to attacks exploiting blind spots, complicating compliance and response challenges.
  9. Companies face liabilities in breaches; accountability often misaligned internally among security teams.
  10. Contracts with IT providers now include machine identity obligations to clarify accountability and response.

TAKEAWAYS:

  1. Clear ownership and accountability of machine identities are crucial for security.
  2. Proper lifecycle management prevents dormant credentials from becoming vulnerabilities.
  3. Contractual obligations enhance accountability and speed up incident response.
  4. Boardrooms must prioritize machine identity governance to mitigate risks.
  5. Effective collaboration between IT, security, and business is essential for success.

Hackers Compromise Active Directory to Steal NTDS.dit that Leads to Full Domain Compromise

Source: Cyber Security News

Author: Florence Nightingale

URL: https://cybersecuritynews.com/active-directory-breach-exfiltrate-ntds/

ONE SENTENCE SUMMARY:

Attackers exploited Active Directory vulnerabilities to extract NTDS.dit, risking full domain compromise, while advanced detection helped mitigate the threat.

MAIN POINTS:

  1. Active Directory is critical for Windows authentication and authorization.
  2. NTDS.dit database targeting allows access to all domain credentials.
  3. Native Windows utilities were used for NTDS.dit extraction.
  4. Attackers gained DOMAIN ADMIN through phishing and privilege escalation.
  5. Volume Shadow Copy creation bypassed file locks to access NTDS.dit.
  6. Secretsdump.py decrypted hashes without triggering traditional alarms.
  7. Data was exfiltrated over SMB to a compromised file share.
  8. Trellix detected the attack via anomalous SMB patterns and custom signatures.
  9. AI-driven alert correlation reduced analyst workload by 60%.
  10. NTDS.dit theft poses severe risks to Windows domain security.

TAKEAWAYS:

  1. Protecting Active Directory is crucial to securing Windows environments.
  2. Phishing remains a potent entry point for attackers.
  3. Advanced detection methods, including AI, are essential for recognizing subtle attacks.
  4. Exfiltration techniques can evade standard defenses but are detectable with high-fidelity tools.
  5. The compromise of NTDS.dit endangers entire domain security.

Urgent: Cisco ASA Zero-Day Duo Under Attack; CISA Triggers Emergency Mitigation Directive

Source: The Hacker News

Author: The Hacker News

URL: https://thehackernews.com/2025/09/urgent-cisco-asa-zero-day-duo-under.html

ONE SENTENCE SUMMARY:

Cisco urges immediate patching of critical zero-day vulnerabilities in VPN software, exploited by threat actors to execute remote attacks.

MAIN POINTS:

  1. Cisco warns of two zero-day flaws in ASA and FTD software.
  2. CVE-2025-20333 allows authenticated attackers to execute arbitrary code as root.
  3. CVE-2025-20362 enables unauthorized access to restricted URLs.
  4. Both vulnerabilities are being actively exploited in the wild.
  5. Potential exploitation may involve chaining both flaws for authentication bypass.
  6. The flaws are linked to the ArcaneDoor threat cluster and UAT4356 actor.
  7. CISA issues emergency directive for immediate mitigation efforts.
  8. The vulnerabilities are included in the Known Exploited Vulnerabilities catalog.
  9. The attacks include persistent memory manipulation across reboots and upgrades.
  10. Firepower appliances with Secure Boot can detect ROM manipulation attempts.

TAKEAWAYS:

  1. Immediate patching of VPN software is essential to prevent remote code execution.
  2. Awareness of ArcaneDoor’s campaign is crucial for network defense strategies.
  3. Rapid response following CISA’s directive can mitigate potential threats.
  4. Understanding the vulnerabilities aids in recognizing threat actor tactics.
  5. Monitoring Firepower systems’ Secure Boot can help detect ROM attacks.

Accurate Classification that Scales: The Right Tool for the Right Job 

Source: Varonis Blog

Author: Ed Lin

URL: https://www.varonis.com/blog/scaling-accurate-classification

ONE SENTENCE SUMMARY:

Data discovery and classification are crucial for security, compliance, and safe AI adoption, requiring accurate, scalable, and automated methods.

MAIN POINTS:

  1. Data classification forms the base for security and compliance, especially with the rise of AI.
  2. Most organizations struggle with identifying and managing sensitive data effectively.
  3. Legacy and AI-only approaches to data classification have significant limitations.
  4. Effective classification should be versatile, combining multiple approaches like pattern-based and AI-assisted methods.
  5. Avoid shortcuts like sampling, which create blind spots in data security.
  6. The Varonis platform offers a comprehensive strategy for data discovery, classification, and security.
  7. Automated classification leads to improved data security and reduced manual effort.
  8. Data residency and privacy concerns are addressed with in-region processing and encryption.
  9. Real-world use cases demonstrate successful deployment of data security and AI tools.
  10. Accurate data classification strengthens various protective measures and supports safe AI use.

TAKEAWAYS:

  1. Effective data classification is key to security and compliance.
  2. Combining different classification methods increases accuracy and scalability.
  3. Automation reduces effort and accelerates security outcomes.
  4. Data privacy is maintained through secure processing practices.
  5. Real-world success stories underscore the benefits of precise classification.

Cisco warns of IOS zero-day vulnerability exploited in attacks

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/cisco-warns-of-ios-zero-day-vulnerability-exploited-in-attacks/

ONE SENTENCE SUMMARY:

Cisco issued security updates for a critical zero-day vulnerability in IOS and IOS XE Software, urging immediate upgrades to prevent exploitation.

MAIN POINTS:

  1. Affected products include Cisco IOS and IOS XE Software with enabled SNMP.
  2. Vulnerability, CVE-2025-20352, is due to a stack-based buffer overflow in SNMP.
  3. Low-privileged remote attackers can exploit it for denial-of-service (DoS).
  4. High-privileged attackers can achieve root access and full system control.
  5. Exploitation involves sending a crafted SNMP packet over IPv4/IPv6 networks.
  6. No existing workarounds; upgrades to patched software are essential.
  7. Temporary mitigation includes limiting SNMP access to trusted users.
  8. Cisco also patched 13 other vulnerabilities, including cross-site scripting (XSS).
  9. Proof-of-concept exploits are available for some vulnerabilities.
  10. Previous vulnerabilities were fixed, enhancing Wireless LAN Controllers’ security.

TAKEAWAYS:

  1. Immediate upgrade to patched software is crucial to prevent exploitation.
  2. Vulnerability involves severe risks like system control and DoS conditions.
  3. Limiting SNMP access temporarily mitigates risk until patch application.
  4. Awareness of other patched vulnerabilities can enhance overall security.
  5. Cisco remains proactive in addressing multiple security threats promptly.

Double agents: How adversaries can abuse “agent mode” in commercial AI products

Source: The Red Canary Blog: Information Security Insights

Author: Alex Walston

URL: https://redcanary.com/blog/threat-detection/ai-agent-mode/

ONE SENTENCE SUMMARY:

AI tools like ChatGPT’s agent mode raise security concerns about increased vulnerability to malicious attacks targeting cloud, identity, and endpoints.

MAIN POINTS:

  1. New AI tools increase potential attack surfaces in cloud, identity, and endpoint domains.
  2. OpenAI’s ChatGPT agent mode performs complex online tasks by reasoning and taking actions on users’ behalf.
  3. AI agents’ widespread adoption could lead to customized enterprise AI tools.
  4. Users granting AI access to accounts may increase phishing attack risks like AIitM.
  5. A proof-of-concept AIitM attack shows potential vulnerabilities despite user skepticism.
  6. Agent mode requires user authentication for actions like logging into websites.
  7. AIitM exploits social engineering to trick agents into leading users to phishing sites.
  8. Protective features in AI tools can be bypassed using custom infrastructure with valid SSL certificates.
  9. Malicious prompts use assertive language to create a false sense of safety.
  10. AI’s autonomous task execution poses new challenges in ensuring secure interactions.

TAKEAWAYS:

  1. Vigilance is needed as AI tools create new security vulnerabilities.
  2. Understanding AI’s task execution is crucial to mitigating risks.
  3. Protective measures must evolve to keep up with sophisticated threats.
  4. Enterprises should consider custom AI agents’ security implications.
  5. Users must remain aware of phishing techniques targeting AI functionalities.

Cyber Threat Detection Vendors Pull Out of MITRE Evaluations Test

Source: Infosecurity Magazine

Author: Kevin Poireault

URL: https://www.infosecurity-magazine.com/news/cyber-vendors-pull-out-mitre/

ONE SENTENCE SUMMARY:

Major cybersecurity providers withdrew from MITRE’s 2025 EDR test, citing product innovation focus and concerns over test relevancy.

MAIN POINTS:

  1. Microsoft, SentinelOne, and Palo Alto withdrew from MITRE’s 2025 EDR evaluation.
  2. Concerns arise about the program’s future and relevance.
  3. The companies prioritize product development over participation.
  4. MITRE’s test increasingly viewed as promotional rather than achieving security gains.
  5. ATT&CK framework was introduced in 2015 by MITRE for mapping cyber adversaries.
  6. Testing uses simulated attacks with MITRE’s Caldera platform.
  7. Tests are not a longitudinal benchmark due to annual differences.
  8. 2025 scenarios include financially motivated and Chinese-aligned cyber-espionage actors.
  9. MITRE plans to re-establish its vendor forum in 2026.
  10. Despite withdrawals, a dozen vendors engaged with the 2025 test.

TAKEAWAYS:

  1. Test participation demands significant resources from cybersecurity companies.
  2. Increasingly challenging tests may impact participation decisions.
  3. MTIRE intends to address concerns by reviving the vendor forum.
  4. Tests are criticized as being more about PR than real security gains.
  5. Ongoing participation signals the value of these evaluations to some vendors.

Service Accounts in Active Directory: These OG NHIs Could Be Your Weakest Link

Source: Tenable Blog

Author: Sonya Wilcox

URL: https://www.tenable.com/blog/service-accounts-in-active-directory-these-og-nhis-could-be-your-weakest-link

ONE SENTENCE SUMMARY:

Securing Active Directory service accounts by fixing common misconfigurations can significantly reduce risk from non-human identities in IT environments.

MAIN POINTS:

  1. Non-human identities (NHIs) are crucial in identity management, often overpermissioned and under-secured.
  2. NHIs include service accounts, API keys, OAuth tokens, and cloud workloads.
  3. Active Directory service accounts are critical and often misconfigured, posing significant security risks.
  4. Kerberoasting exploits Kerberos to harvest password hashes from accounts with SPNs.
  5. Unconstrained Kerberos delegation allows servers to impersonate users, risking credential theft.
  6. Managed Service Accounts (MSAs) offer secure management but require proper configuration.
  7. Remediating Kerberoastable accounts involves using unprivileged or group managed service accounts.
  8. Delegation settings should ideally have “Do not trust this computer for delegation” enabled.
  9. Regularly cleaning up and managing NHIs is crucial for maintaining cyber hygiene.
  10. Solutions like Tenable can help identify and remediate NHI vulnerabilities in Active Directory.

TAKEAWAYS:

  1. Secure and regularly monitor service accounts to prevent overscoping and overpermissioning.
  2. Address Kerberoastable accounts by using stronger encryption and unprivileged accounts.
  3. Properly configure unconstrained delegation to avoid potential credential theft.
  4. Leverage solutions like Tenable for visibility into misconfigurations and attack paths.
  5. Make NHI management part of routine cybersecurity practices to mitigate risks effectively.

Controls vs. Key Security Indicators: Rethinking Compliance for FedRAMP

Source: Cloud Security Alliance

Author: unknown

URL: https://cloudsecurityalliance.org/articles/controls-vs-key-security-indicators-rethinking-compliance-for-fedramp

ONE SENTENCE SUMMARY:

Key Security Indicators (KSIs) enhance FedRAMP authorization by providing real-time insights, reducing compliance burdens, and automating security processes.

MAIN POINTS:

  1. Traditional security controls in FedRAMP are derived from NIST SP 800-53 requirements.
  2. KSIs offer real-time, automated metrics reflecting current security posture and outcomes.
  3. KSIs originate from Continuous Diagnostics and Mitigation (CDM) and Continuous Controls Monitoring (CCM).
  4. They provide real-time visibility and operational relevance, simplifying audits and improving risk management.
  5. Security controls remain essential for regulatory alignment and assurance structure.
  6. KSIs complement, not replace, traditional controls for continuous monitoring effectiveness.
  7. Automation with KSIs can significantly lower FedRAMP barriers for organizations.
  8. KSIs facilitate automation-first compliance, reducing manual documentation needs.
  9. They support agile environments with continuous, accessible security evidence.
  10. KSIs are pivotal as FedRAMP transitions towards continuous authorization.

TAKEAWAYS:

  1. KSIs shift compliance focus from checking boxes to measuring outcomes.
  2. They enhance FedRAMP readiness by reducing compliance overhead.
  3. Real-time KSI metrics provide continuous insights into security performance.
  4. Integrating KSIs can streamline authorization processes, especially in agile settings.
  5. The future of compliance will likely embrace KSIs for continuous monitoring.

New EDR-Freeze Tool That Puts EDRs and Antivirus Into A Coma State

Source: Cyber Security News

Author: Guru Baran

URL: https://cybersecuritynews.com/edr-freeze-tool/

ONE SENTENCE SUMMARY:

EDR-Freeze is a tool that suspends EDR and antivirus processes using Windows functions, enabling stealthy system compromise.

MAIN POINTS:

  1. EDR-Freeze places EDR and antivirus in a suspended state using Windows functions.
  2. Avoids using vulnerable drivers, reducing detection risk.
  3. Utilizes MiniDumpWriteDump to suspend process threads indefinitely.
  4. Bypasses Protected Process Light via WerFaultSecure.exe’s high privilege.
  5. Initiates a race-condition attack to prolong process suspension.
  6. Requires only Process ID and suspension duration as parameters.
  7. Allows attacker actions without permanent disabling of security software.
  8. Tested successfully on Windows Defender’s MsMpEng.exe process.
  9. Demonstration released to showcase the technique.
  10. Detection requires monitoring unusual WerFaultSecure.exe activity on sensitive PIDs.

TAKEAWAYS:

  1. EDR-Freeze exploits legitimate Windows components for stealthy attacks.
  2. Reduces dependency on vulnerable drivers for disabling security.
  3. Security tools must monitor specific executions for potential threats.
  4. Demonstrates sophisticated manipulation of Windows functions.
  5. Highlights the need for vigilance against advanced attack techniques.

Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/09/microsoft-patches-critical-entra-id.html

ONE SENTENCE SUMMARY:

A critical vulnerability in Microsoft Entra ID could allow attackers to impersonate users across tenants, granting access to sensitive resources.

MAIN POINTS:

  1. Vulnerability CVE-2025-55241 allows cross-tenant impersonation in Microsoft Entra ID.
  2. It’s rated a maximum CVSS score of 10.0, highlighting its severity.
  3. Discovered by Dirk-jan Mollema, it affects all tenants except national clouds.
  4. Exploit involves flawed validation in the Azure AD Graph API.
  5. Exploitation bypasses MFA, Conditional Access, and leaves no traces.
  6. Global Admin impersonation could lead to full tenant compromise.
  7. The legacy API responsible is officially deprecated as of August 2025.
  8. Similar vulnerabilities in Exchange Server and cloud services were also disclosed.
  9. API Connections facilitate cross-tenant access to backend resources.
  10. Misconfigurations can lead to widespread data theft and follow-on attacks.

TAKEAWAYS:

  1. Critical flaws in legacy APIs can lead to severe security breaches.
  2. Cross-tenant access allows impersonation of high-privilege roles like Global Admins.
  3. Deprecated services like Azure AD Graph must be urgently replaced.
  4. Security depends on thorough validation and monitoring of access points.
  5. Misconfigurations in cloud environments pose ongoing risks to data security.

Identity Security: Cloud’s Weakest Link in 2025

Source: Cloud Security Alliance

Author: unknown

URL: https://cloudsecurityalliance.org/articles/identity-security-cloud-s-weakest-link-in-2025

ONE SENTENCE SUMMARY:

Identity security has become the primary concern in cloud environments, with breaches often stemming from identity-related issues and misconfigurations.

MAIN POINTS:

  1. Identity security is now the top concern in cloud environments.
  2. Hybrid and multi-cloud setups make identity a prime target for attackers.
  3. Identity-related breaches often arise from excessive permissions and weak hygiene.
  4. Misconfigured cloud services contribute to a significant number of breaches.
  5. Zero Trust and least privilege are emerging as key priorities for organizations.
  6. Governance and operations haven’t kept pace with identity security needs.
  7. Effective measurement involves real-time identity risk exposure signals.
  8. Unifying governance across cloud environments enhances security.
  9. AI adoption introduces new identity security challenges.
  10. Executive leadership alignment is crucial for effective risk management.

TAKEAWAYS:

  1. Prioritize Zero Trust and least privilege to improve identity security.
  2. Enhance governance with unified policies across cloud environments.
  3. Measure identity risk using real-time signals, not just adoption rates.
  4. Address AI identity risks with the same rigor as cloud security.
  5. Align executive leadership to transition from reactive to risk-reducing strategies.

How Top CISOs Approach Exposure Management in the Context of Managing Cyber Risk

Source: Tenable Blog

Author: Robert Huber

URL: https://www.tenable.com/blog/how-top-cisos-approach-exposure-management-in-the-context-of-managing-cyber-risk

ONE SENTENCE SUMMARY:

CISOs view exposure management as a strategic approach to enhance security, improve risk communication, and address AI challenges.

MAIN POINTS:

  1. Exposure management is strategic for proactive security and addressing various challenges like AI security and vulnerability remediation.
  2. It helps CISOs communicate effectively with boards about cyber risks and strategic priorities.
  3. The Council acts as a confidential forum for sharing insights and strategies for enterprise-wide exposure management.
  4. Exposure management unifies risk scoring, surpassing traditional vulnerability management limitations.
  5. It incorporates CVSS scores, EPSS data, threat intelligence, and business context for better risk prioritization.
  6. Emphasizes AI security as an essential focus due to its growing attack surface and threat potential.
  7. Aims to monitor security controls effectiveness through improved attack surface management and visibility.
  8. The Council aspires to establish principles and best practices for exposure management as a strategic discipline.
  9. Future reports and updates are planned to advance exposure management.
  10. Exposure management seeks to create standardized processes akin to accounting’s GAAP for risk measurement.

TAKEAWAYS:

  1. Exposure management improves strategic security and risk communication.
  2. It provides unified and comprehensive risk scoring approaches.
  3. AI security is a significant focus area for exposure management.
  4. The Council promotes sharing best practices and strategies among senior leaders.
  5. Future efforts aim to standardize exposure management practices strategically.

Google Patches Chrome Zero-Day CVE-2025-10585 as Active V8 Exploit Threatens Millions

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/09/google-patches-chrome-zero-day-cve-2025.html

ONE SENTENCE SUMMARY:

Google released Chrome updates to fix four vulnerabilities, including the actively exploited zero-day CVE-2025-10585 in the V8 engine.

MAIN POINTS:

  1. Google released security updates for Chrome targeting four vulnerabilities.
  2. The zero-day vulnerability CVE-2025-10585 is actively exploited.
  3. CVE-2025-10585 involves type confusion in the V8 JavaScript engine.
  4. Type confusion can lead to arbitrary code execution and program crashes.
  5. Google’s Threat Analysis Group discovered the flaw on September 16, 2025.
  6. Details of real-world exploitation are kept private to prevent further abuse.
  7. CVE-2025-10585 is the sixth actively exploited zero-day this year.
  8. Other affected zero-days in 2025 include CVE-2025-2783 and CVE-2025-6558.
  9. Users should update Chrome to versions 140.0.7339.185/.186 or later.
  10. Updates should also be applied to other Chromium-based browsers.

TAKEAWAYS:

  1. Stay updated with the latest Chrome version to prevent exploitation.
  2. Type confusion vulnerabilities pose significant security risks.
  3. Regularly check for browser updates, especially in Chromium-based browsers.
  4. Zero-day exploits are actively targeted; vigilance is crucial.
  5. Google prioritizes user security by quickly addressing and disclosing vulnerabilities.

Microsoft: WMIC will be removed after Windows 11 25H2 upgrade

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-wmic-will-be-removed-after-windows-11-25h2-upgrade/

ONE SENTENCE SUMMARY:

Microsoft will remove the WMIC tool from Windows 11 25H2, recommending PowerShell instead to enhance security and reduce complexity.

MAIN POINTS:

  1. Windows 11 25H2 and later will not include the WMIC tool.
  2. WMIC allows interaction with WMI using text commands.
  3. Microsoft advises using PowerShell for WMI tasks and scripts.
  4. The removal only affects the WMIC component, not WMI itself.
  5. Microsoft provides guidance for transitioning from WMIC.
  6. WMIC was deprecated in Windows Server 2012 and Windows 10 21H1.
  7. WMIC became a Feature on Demand starting with Windows 11 22H2.
  8. Removal aims to enhance security by preventing malware exploitation.
  9. WMIC has been used in attacks to delete data and bypass security.
  10. The shift to PowerShell provides a more efficient and secure solution.

TAKEAWAYS:

  1. Transition to PowerShell for future administrative tasks involving WMI.
  2. Microsoft’s move is part of enhancing security and reducing system complexity.
  3. WMIC’s removal prevents its exploitation in malware attacks.
  4. Updating internal documentation is crucial during this transition.
  5. Microsoft prioritizes modern tools and methods for achieving greater efficiency.

Insider blamed for FinWise data breach affecting nearly 700K

Source: theregister.com

Author: unknown

URL: https://www.theregister.com/2025/09/15/finwise_insider_data_breach/

ONE SENTENCE SUMMARY:

A former employee potentially accessed sensitive data of nearly 700,000 FinWise Bank customers, leading to significant security concerns.

MAIN POINTS:

  1. 700,000 customers potentially affected by data access breach.
  2. Data includes information linked to American First Finance installment loans.
  3. Incident occurred on May 31, 2024, detected June 18, 2023.
  4. Type of data involved was not publicly disclosed.
  5. Investigations involved outside cybersecurity experts.
  6. Customers receive 12 months of free credit monitoring.
  7. FinWise joins other companies affected by insider attacks.
  8. Insider breaches include bribery and accidental data transmissions.
  9. RUSI highlights gaps in personnel security strategies.
  10. Calls for enhanced internal security culture in organizations.

TAKEAWAYS:

  1. Insider threats pose significant risks to data security.
  2. Timely detection and response are crucial for mitigating damage.
  3. Organizations should bolster internal trust and security awareness.
  4. Cross-departmental collaboration is vital for identifying insider threats.
  5. External cybersecurity expertise can aid in thorough incident investigations.

20 Popular npm Packages With 2 Billion Weekly Downloads Compromised in Supply Chain Attack

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html

ONE SENTENCE SUMMARY:

A phishing attack on a maintainer of npm packages led to a software supply chain attack affecting 20 popular packages.

MAIN POINTS:

  1. Maintainer’s account compromised via phishing email mimicking npm support.
  2. Attack targeted Josh Junon, co-maintainer of several npm packages.
  3. 20 npm packages affected; over 2 billion weekly downloads.
  4. Malware intercepts cryptocurrency transactions, alters destination wallet.
  5. Payload acts as a browser-based interceptor hijacking network traffic.
  6. Attack exploits trust in npm and PyPI package ecosystems.
  7. Techniques include typosquatting and exploiting AI-hallucinated dependencies.
  8. 14 of 23 crypto-related attacks in 2024 targeted npm.
  9. Targeting developers is strategic for reaching wide audiences.
  10. Package takeovers commonly used by advanced persistent threat groups.

TAKEAWAYS:

  1. Vigilance and security in CI/CD pipelines are crucial.
  2. Increasing attacks on software supply chain platforms like npm.
  3. Popular open source packages remain high-value targets.
  4. Developers need awareness of phishing and security practices.
  5. Strengthening account security and monitoring is essential.

Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-patch-tuesday-fixes-81-flaws-two-zero-days/

ONE SENTENCE SUMMARY:

The document outlines significant Azure and Microsoft vulnerabilities across different services, with varying severity levels, requiring urgent attention.

MAIN POINTS:

  1. Azure Networking, Arc, Bot Service, and Entra have critical elevation of privilege vulnerabilities.
  2. Graphics Kernel features multiple remote code execution vulnerabilities marked as critical.
  3. Microsoft Office components are affected by various important vulnerabilities, mainly remote code execution.
  4. Windows Hyper-V roles face numerous important elevation of privilege vulnerabilities.
  5. Windows Defender Firewall Service is affected by several important elevation of privilege vulnerabilities.
  6. Win32K and SMB are linked to critical vulnerabilities requiring immediate action.
  7. Xbox-associated services contain critical information disclosure and elevation of privilege vulnerabilities.
  8. SQL Server and Windows services face multiple information disclosure vulnerabilities.
  9. Microsoft Edge presents several vulnerabilities with unknown severity levels.
  10. Addressing these vulnerabilities is crucial to prevent exploitation and maintain system security.

TAKEAWAYS:

  1. Critical vulnerabilities in Azure Networking, Bot Service, and Entra need immediate remediation.
  2. Microsoft Office and Excel require updates to mitigate remote code execution risks.
  3. Hyper-V and Defender Firewall are critical areas needing consistent monitoring.
  4. Regular updates necessary for Xbox and Windows components due to severe vulnerabilities.
  5. Edge maintenance is key despite unknown risks in implementations.

Huge NPM Supply-Chain Attack Goes Out With Whimper

Source: Dark Reading

Author: Alexander Culafi

URL: https://www.darkreading.com/application-security/huge-npm-supply-chain-attack-whimper

ONE SENTENCE SUMMARY:

Threat actors compromised Qix’s NPM account, distributing malicious versions of 18 popular packages with over 2 billion weekly downloads.

MAIN POINTS:

  1. Attackers gained unauthorized access to Qix’s NPM account.
  2. They published corrupted versions of 18 open-source packages.
  3. The affected packages are highly popular, totaling over 2 billion weekly downloads.
  4. The incident reveals significant security vulnerabilities in the software supply chain.
  5. These packages are widely used across various applications and platforms.
  6. The poisoning of packages poses severe risks to projects relying on them.
  7. Organizations need to implement stronger security measures to protect credentials.
  8. Developers must verify package integrity to avoid integrating compromised versions.
  9. The attack emphasizes the importance of regular security audits in development environments.
  10. Vigilance against phishing and other attacks is crucial for maintaining software security.

TAKEAWAYS:

  1. Strengthen security protocols to safeguard against account compromise.
  2. Regularly audit open-source package integrity and provenance.
  3. Foster a culture of cybersecurity awareness among developers.
  4. Implement advanced measures to detect and respond to threats rapidly.
  5. Prioritize protection strategies for the software supply chain infrastructure.

Machine Identities: Definition, How They Work, and Security Best Practices

Source: Cloud Security Alliance

Author: unknown

URL: https://veza.com/blog/what-is-machine-identity/

ONE SENTENCE SUMMARY:

Machine identities outnumber human identities, posing significant security challenges; they require robust management to prevent cyberattacks.

MAIN POINTS:

  1. Machine identities outnumber human identities by 17:1.
  2. SolarWinds breach highlighted machine identity security vulnerabilities.
  3. Machine identities include apps, IoT devices, and APIs.
  4. They’re essential for automated workflows and cloud environments.
  5. Weak management leads to unauthorized access and network attacks.
  6. Distinction between machine identities and service accounts.
  7. PKI underpins machine identity security.
  8. CAs issue digital certificates for machine identities.
  9. Comprehensive lifecycle management is required for security.
  10. Automation is crucial for managing vast machine identity volumes.

TAKEAWAYS:

  1. Machine identity security is crucial for preventing cyberattacks.
  2. Mismanaged certificates lead to significant security risks.
  3. PKI and CAs are integral to machine identity validation.
  4. Automation is necessary for efficient machine identity management.
  5. Regular audits and monitoring can mitigate security vulnerabilities.

Cybersecurity signals: Connecting controls and incident outcomes

Source: Help Net Security

Author: Anamarija Pogorelec

URL: https://www.helpnetsecurity.com/2025/09/01/cric-cybersecurity-signals/

ONE SENTENCE SUMMARY:

A study identifies key cybersecurity measures, including incident response planning, EDR, and comprehensive training, critical for minimizing breach risks.

MAIN POINTS:

  1. Incident response planning enhances resilience and reduces breach incidents through tabletop exercises and red-team tests.
  2. Endpoint detection and response tools decrease breach risk, particularly with full deployment and blocking mode usage.
  3. Multi-factor authentication’s effectiveness hinges on its comprehensive, phishing-resistant implementation across all accounts.
  4. Security operations centers’ effectiveness is boosted by 24×7 monitoring, threat intelligence, and SIEM platform optimization.
  5. Quality of cyber awareness training, focusing on advanced tactics and realistic simulations, outweighs session frequency.
  6. Higher patching frequency improves outcomes, with automated processes more effective than reliance on CVSS scores alone.
  7. Comprehensive vulnerability management, including regular assessments and penetration testing, strengthens cyber defenses.
  8. Thoughtful incident planning drives investment in positive security behaviors and robust control implementations.
  9. The full deployment of endpoint detection correlates strongly with reduced breach likelihood.
  10. Security centers enhance protection, particularly through continuous process improvement and active threat monitoring.

TAKEAWAYS:

  1. Integrating incident response exercises bolsters organizational resilience and security.
  2. Expanding EDR coverage is crucial for diminishing cyber threats.
  3. Comprehensive, advanced MFA deployment significantly reduces vulnerability.
  4. High-quality, advanced cyber training is key for effective threat recognition and response.
  5. Automating patch management processes enhances vulnerability management efficiency.

Microsoft to enforce MFA for Azure resource management in October

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enforce-mfa-for-azure-resource-management-in-october/

ONE SENTENCE SUMMARY:

Starting October 2025, Microsoft will enforce multi-factor authentication for Azure to enhance security against unauthorized access attempts.

MAIN POINTS:

  1. Microsoft enforces MFA for Azure resource management starting October 2025.
  2. Enforcement aims to protect Azure clients from unauthorized access.
  3. MFA required for Azure CLI, PowerShell, SDKs, and APIs.
  4. Users should upgrade Azure CLI to version 2.76+ and PowerShell to 14.3+.
  5. Global administrators can delay compliance until July 2026.
  6. Enforcement applies to all Azure tenants in public cloud.
  7. Affected operations include Create, Update, and Delete.
  8. Monitoring available via authentication methods registration report.
  9. 99.99% of MFA-enabled accounts resist hacking.
  10. GitHub also enacts 2FA for active developers from January 2024.

TAKEAWAYS:

  1. MFA significantly enhances account security against unauthorized access.
  2. Upgrading tools ensures compatibility with MFA requirements.
  3. Administrators have until July 2026 for full compliance.
  4. Large-scale enforcement promises improved security for all Azure users.
  5. MFA adoption is part of a broader security initiative by Microsoft.

Risk-Based vs. Compliance-Based Security: Why One Size Doesn’t Fit All

Source: Cloud Security Alliance

Author: unknown

URL: https://www.vikingcloud.com/blog/risk-based-vs-compliance-based-security-why-one-size-doesnt-fit-all

ONE SENTENCE SUMMARY:

Integrating risk-based security with compliance frameworks enhances resilience against evolving cyber threats by prioritizing proactive threat mitigation over mere documentation.

MAIN POINTS:

  1. Compliance frameworks set baseline security but often miss nuanced cyber risks.
  2. Compliance-based security can create a false sense of security with inadequate threat response.
  3. Emerging threats often outpace compliance requirements, leading to vulnerabilities.
  4. Documentation focus neglects proactive security measures in compliance frameworks.
  5. Risk-based security targets high-impact threats for improved resource allocation.
  6. Integrating compliance with risk-based strategies bridges security gaps.
  7. Regular risk assessments identify specific organizational vulnerabilities.
  8. Security investments should prioritize high-risk areas using cyber risk models.
  9. Continuous threat monitoring is essential for adapting to new attack vectors.
  10. The Gordon–Loeb model optimizes security spending for maximum risk reduction.

TAKEAWAYS:

  1. Compliance is just a baseline; integrating a risk-based approach is crucial for true security.
  2. Risk-based security aligns with business goals, enhancing resilience and continuity.
  3. Conducting regular risk assessments identifies vulnerabilities overlooked by compliance.
  4. Prioritizing security spending in high-risk areas optimizes protection without overspending.
  5. Continuous monitoring and adaptation are essential to stay ahead of emerging threats.